Exam AZ-301 topic 9 question 3 discussion

I believe we shall use Traffic Manager (for region failure), and standard load balancer ( SLA 99.99% with HA, and used over availability zone).

Ensure that each tier of the payment processing system is subject to a Service level Agreement (SLA) of 99.9 percent availability Standard Load Balancer have a SLA of 99.9%, but Basic one have not. https://docs.microsoft.com/ja-jp/azure/load-balancer/load-balancer-overview#skus

Pass-through authentication Traffic Manager and Standard Load Balancer

i believe the authentication part is for the .net which will connect to the user and the cosmosDB so it should be using traffic manager and STD LB

Password hashes must be stored on-premises only hence pass through authentication is correct Infrastructure services must remain available if a region or a data center fails. Failover must occur without any administrative intervention.traffic maanger is correct as its regional availablity. Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent availability. hence standard laod balancer as basic does not have any SLA https://docs.microsoft.com/en-us/azure/load-balancer/skus

I wrapping my head around this questions and came to a conclusion, that they have nothing in common. In the first one they are probably asking about what mode you will use if the solution will be azure ad connect and the correct answer is pass-through ... And in the second one, where by "authentication solution" they are referencing to ADFS based one. And here the App gateway for LB of WAP and Standard LB for ADFS server is a valid configuration.

Pass-through authentication Traffic Manager and Standard Load Balancer correct answer.

how does AGW protect against a regional outage? I think it should be Traffic manager and standards loadbalancer (region, datacenters)

Answer is correct .. PTA .. because "The IT security team wants to ensure that identity management is performed by using Active Directory. Password hashes must be stored on-premises only."

1st is definitely pass through authentication. 2nd one answer is Traffic Manager and Std LB. TM- for resolving regional outages Std LB: due to 99.99% SLA requirement.

1. Pass-through authentication 2. Traffic Manager and standard Load Balancer

for me 2nd Box is AAG with SLB. Reason: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant "Zone redundancy: An Application Gateway or WAF deployment can span multiple Availability Zones, REMOVING THE NEED to provision separate Application Gateway instances in each zone WITH A TRAFFIC MANAGER.

a. Contoso hosts a business-critical payment processing system in its New York data center b. The payment processing system has the following compliance-related requirements: Keep backups of the data in two separate physical locations that are at least 200 miles apart.... c. Ensure that each tier of the payment processing system is subject to a Service Level Agreement (SLA) of 99.99 percent (22B2) availability d. Require HTTPS For Second Box, it has to be App Gateway and Standard Load balancer ?

Guys. We use this exact authentication technique in our environment. 1. Pass-through authentication 2. Traffic Manager and basic authentication

This question is extremely ambiguous but I will be going with Box 1: ADFS Box 2: Traffic Manager + Standard load balancer Here is the reasoning ADFS - I would say is implied by this statement "The IT security team wants to ensure that identity management is performed by using Active Directory" Specifically "Active directory" as opposed to Azure AD. With ADFS your authentication request is handed off the the ADFS system and system and once you have your token you are redirected back to the application and thus you're request was handled by on premise AD. With PTA your authentication is queued to be handled by Azure AD, I grant that it is handled then by an on premise agent with compares creds to what is stored in AD but ultimately the access token is then finally handled by Azure AD. Secondly, it only makes sense given that it then goes on to ask us to load balance the authentication solution. I think we can all agree there is no requirement to load balance PTA or even possibility too. The Second box I think is more self-explanatory, given the need to multi-region redundancy we require traffic manager. And a standard load balancer to satisfy the SLA 99.99%.

No such thing as load balancing with PTA https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#does-pass-through-authentication-provide-load-balancing-across-multiple-authentication-agents Does Pass-through Authentication provide load balancing across multiple Authentication Agents? No, installing multiple Pass-through Authentication Agents ensures only high availability. It does not provide deterministic load balancing between the Authentication Agents. Any Authentication Agent (at random) can process a particular user sign-in request.

This question has gotten me crazy. This is the only way I can reason it: The authentication solution is AZ Active Directory, with pass through feature to avoid hash storing. Nothing points towards a federated solution, since they are users from the same organisation. To authenticate users against cloud services I will use App identity and user access defined in AZ AD. Thus, there the load balancing it mentions it is impossible to be applied to AZ AD connect, which is managed by Microsoft. It is not an active-active load balancing but rather is referring to load balancing in case of a failure, fact that is repeated all over the statement. In such case, Traffic Manager and Standard Version. Standard version because basic does not support HTTPS and there is the requirement of the data to be encrypted at all times.